Critical criteria for building successful market infrastructures – Part 2
As the European Commission considers ESMA’s recommendation of establishing a consolidated tape, the timing gives the industry an opportunity to consider the components behind a successful market infrastructure and how to build such an infrastructure.
In the second article of this two-part series, Etrading Software draws on its operational experience as the management services partner for the Derivatives Service Bureau (DSB) to highlight two additional success criteria that have become crucial to the operational effectiveness of a modern critical infrastructure: technology and cyber-security.
Given the rapid pace of technological innovation, any market infrastructure that aims to provide high quality, low cost services must develop a technology strategy that allows the utility to keep pace with the evolution of technology best practice. Such best practices include the ability to scale rapidly to handle unexpected spikes in demand, leveraging open source software to allow easy migration to new technologies, and providing open APIs for easy connectivity to the service.
Scalability: Achieving scalability by implementing a new service in the public cloud is fast becoming accepted conventional wisdom and with good reason. The large public cloud operators have invested heavily in building an ecosystem of services to facilitate on-demand scaling. A new market infrastructure will be able to leverage this investment at minimal cost to achieve scalability.
A demonstration of the benefits of this scaling was provided by the DSB on 3rd January 2018, the second day of MiFID II. Due to unprecedented demand on the DSB’s systems, the DSB operations team made the decision at 5am UTC to increase system capacity, and the increased capacity was on-line by 8am UTC the same day.
Open source software: Ensuring that the technology base of the service continues to evolve in line with the needs of the service, in a cost-effective manner, is an important consideration for any service. The adoption of open source software provides such a mechanism and is well-established in the technology industry. For example, Netflix, the popular media-services provider, has been explaining since 2010 the benefits of relying on open source software, including higher quality, lack of vendor lock-in and the ability to tap into the continued innovation of the open source community. Market infrastructures can realise these benefits in order to provide cost-effective service into the future.
Open APIs: Providing users with the ability to integrate the service into their own proprietary internal workflows and systems is the key feature of open APIs. Such APIs should leverage open standards such as FIX and REST, so that users benefit from their existing investments around those standards and can use their own best-in-class tools for integration with the service. Furthermore, such APIs allow the utility to implement automated, zero-touch solutions which lower operational cost and risk.
In the case of the DSB, the initial API was based on FIX. However, the DSB’s industry consultation in 2017 resulted in the DSB also supporting an additional API based on REST. The DSB subsequently released a REST API and now maintains both APIs to cater for the differing needs of its stakeholders. Feedback from the DSB’s TAC has confirmed that many firms have integrated the DSB’s APIs into their core internal workflows, demonstrating the benefits of such open APIs.
Cyber-security has markedly increased in importance on firms’ agendas over the past five years. As firms have scrambled to harden their systems in the light of evolving security threats, a common approach has been to focus on securing the perimeter of their infrastructure in order to keep out unwanted cyber-intruders. Building cyber defences into an existing operational set-up is difficult, akin to tinkering with a running engine to make it more secure – not only is this difficult to do, but the overall design of the engine will still be lacking. However, building a brand new market infrastructure provides an opportunity to ensure that cyber-security best practices are built into the life cycle of the technology right from the start, rather than applying a patchwork of solutions after the fact.
This upfront security consideration should include the creation of an independent post of Chief Information Security Officer (CISO) with a mandate to adopt a standards-based cyber-security framework systematically across the entire organisation, as follows:
CISO Role: The purpose of the CISO role should be to provide a focal point for cyber-security practices and risk assessments across the organisation, in a manner that is independent of the utility’s service delivery organisation. This separation allows the CISO to have a different perspective from the operational managers, whose focus and priorities are to achieve delivery milestones. An independent CISO provides an important check to ensure cyber-risks are appropriately considered and addressed, free from the normal pressures of delivery.
In the example of the DSB, the cyber-security role was initially performed by the DSB’s technology delivery team. However, a new independent CISO role was approved by the DSB TAC in 2019 and became operational in January 2020, based on the above guideline and reporting directly to the TAC. The role proved its effectiveness when the DSB’s website became the target of a sustained cyber-attack between 17 and 20 February 2020. The CISO provided the leadership within the DSB to identify and address the issues, including incorporating the lessons learnt into the DSB’s operational processes.
Cyber-Security Framework: Historically, cyber-security processes have been implemented within organisations in an ad-hoc manner, focused on addressing specific risks or shortcomings. Fortunately, two comprehensive standards-based frameworks now exist for implementing cyber-security systematically. ISO 27001 – Information Security Management is an international standard managed by ISO that allows independent third-party verification and accreditation of an organisation’s cyber-security processes. The NIST Cyber-security Framework is a US-based standard for use by critical infrastructure owners and operators.
Market infrastructures should adopt one or both of these standards to guarantee adherence to cyber-security best practice. For infrastructures based outside the US, the ISO standard may provide a better model given its explicit international remit.
A time for consensus
The next step is for industry to conduct a considered debate about how criteria such as data quality, governance, technology and security can be best implemented for new market infrastructures. The outcome of these efforts can also feed through to more informed policy and regulatory decision making.
Industry associations such as FIX and ICMA have set up working groups specifically around the provision of a consolidated tape. Etrading Software will share its experiences of best practice approaches for building and operating such market infrastructures in such fora and we encourage all stakeholders to do the same. Such collaboration is essential to gain consensus within the industry on the best way to create and operate a new kind of market infrastructure based on appropriate governance, and modern, flexible and secure architectures.